Frappe Framework SQL Injection Vulnerability in add_tag Function

Vulnerability

A SQL injection vulnerability has been identified in Frappe Framework 15.x.x prior to 15.72.0 and 14.x.x prior to 14.96.10. The issue is in the add_tag function in tag.py: the caller-supplied dt parameter (the DocType name, which selects the table the query runs against) is not validated before being used to build a SQL query. Because a table name cannot be bound as a query parameter, an unchecked dt value can break out of the identifier and append attacker-controlled SQL, leading to unauthorized data access.

Impact

Exploitation takes the form of error-based SQL injection: the attacker crafts a dt value that makes the database raise an error whose message carries the result of an attacker-chosen expression, so data is extracted through the error rather than through the normal result set. The reported proof of concept retrieved the database version this way; the same channel can be used to read other data the application's database user can query.

Reproduction

The vulnerability can be reproduced by sending a request to the Frappe API method that calls add_tag with a crafted dt value. The value must close the identifier position in which dt is used and append SQL that forces an error carrying the desired data. Successful injection can be verified in the SQL log, where the executed query contains the injected SQL and the error-based extraction of database version information.
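
The following is an added, illustrative model of the pattern described above (a DocType name spliced into the table identifier of a query) beside a hardened form that validates the name before use. It is not Frappe's code: it uses an in-memory SQLite database, and the table names (tabToDo, tabUser), columns (_user_tags, api_secret), the KNOWN_DOCTYPES allowlist and the sample rows are all constructed for the example. SQLite does not expose data through error messages the way the reported error-based technique does, so the payload here uses a UNION to read another table; the breakout point (the unquoted identifier) is the same.

```python
"""Constructed model of an unvalidated table-name (dt) parameter in SQL.

This is example code written for this page, not Frappe's implementation.
All table names, columns and rows below are assumptions made so that the
example runs stand-alone against an in-memory SQLite database.
"""
import sqlite3

# Hypothetical allowlist standing in for a "does this DocType exist?" check.
KNOWN_DOCTYPES = {"ToDo", "Note"}


def make_db() -> sqlite3.Connection:
    """Build a constructed database: one tagged document and one secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE `tabToDo` (name TEXT PRIMARY KEY, _user_tags TEXT);
        CREATE TABLE `tabUser` (name TEXT PRIMARY KEY, api_secret TEXT);
        INSERT INTO `tabToDo` VALUES ('TODO-0001', ',urgent');
        INSERT INTO `tabUser` VALUES ('Administrator', 'constructed-secret');
        """
    )
    return conn


def get_tags_vulnerable(conn: sqlite3.Connection, dt: str, dn: str):
    """Vulnerable pattern: dt is spliced into the identifier, dn is bound.

    Only the table name is attacker-controlled, which is enough: a backtick
    inside dt closes the identifier and the rest of dt is parsed as SQL.
    """
    query = f"SELECT _user_tags FROM `tab{dt}` WHERE name = ?"
    row = conn.execute(query, (dn,)).fetchone()
    return row[0] if row else None


def get_tags_hardened(conn: sqlite3.Connection, dt: str, dn: str):
    """Hardened pattern: identifiers cannot be bound as parameters, so the
    DocType name is checked against an allowlist before it reaches the query.
    """
    if dt not in KNOWN_DOCTYPES:
        raise ValueError(f"unknown DocType: {dt!r}")
    query = f"SELECT _user_tags FROM `tab{dt}` WHERE name = ?"
    row = conn.execute(query, (dn,)).fetchone()
    return row[0] if row else None


# Constructed payload: closes the `tabToDo` identifier, discards its rows
# with WHERE 0, and reads a column from a different table. The template's
# trailing backtick closes `tabUser`, and the original bound WHERE clause
# now selects the row of the user named in dn.
INJECTED_DT = "ToDo` WHERE 0 UNION SELECT api_secret FROM `tabUser"


def demo() -> dict:
    """Run both variants with a legitimate dt and with the injected dt."""
    conn = make_db()
    results = {
        "legit_vulnerable": get_tags_vulnerable(conn, "ToDo", "TODO-0001"),
        "injected_vulnerable": get_tags_vulnerable(conn, INJECTED_DT, "Administrator"),
        "legit_hardened": get_tags_hardened(conn, "ToDo", "TODO-0001"),
    }
    try:
        get_tags_hardened(conn, INJECTED_DT, "Administrator")
        results["injected_hardened"] = "executed"
    except ValueError:
        results["injected_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable variant returning the tags for the legitimate call but the other table's secret for the injected call, while the hardened variant answers the legitimate call identically and rejects the injected name before any SQL is executed. The design point is that escaping cannot fix an identifier position; the value has to be validated against the set of names the application actually knows.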

Remediation

Users are advised to upgrade to Frappe 15.72.0 (15.x) or 14.96.10 (14.x), or any later release, where the handling of the dt parameter in add_tag has been fixed.

Added: Sep 15, 2025, 7:27 PM
Updated: Sep 15, 2025, 10:54 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.